MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE

SUBJECT: Audit Report on Application Controls Over the Retiree and Casualty Pay Subsystem at the Defense Finance and Accounting Service Cleveland Center (Report No. 99-083)


We  are  providing  this  report  for  review  and  comment.  The  audit  was  conducted  in 
support  of  our  financial  statement  audits  required  by  the  Chief  Financial  Officers  Act  of 
1990  and  the  Federal  Financial  Management  Act  of  1994.  This  report  is  the  first  of  two 
reports  that  will  be  issued  on  the  Defense  Retiree  and  Annuitant  Pay  System.  This  report 
addresses  our  audit  of  the  application  controls  over  the  Defense  Finance  and  Accounting 
Service’s  Retiree  and  Casualty  Pay  Subsystem,  one  of  two  subsystems  in  the  Defense 
Retiree  and  Annuitant  Pay  System.  A  separate  report  will  address  our  audit  of  application 
controls  over  the  Defense  Finance  and  Accounting  Service  Annuitant  Pay  Subsystem. 

DoD  Directive  7650.3  requires  that  all  recommendations  be  resolved  promptly. 
Management  did  not  provide  comments  on  the  draft  report.  Therefore,  we  request  that 
comments  on  all  recommendations  be  provided  by  March  23,  1999. 

We  appreciate  the  courtesies  extended  to  the  audit  staff.  Questions  on  the  audit 
should  be  directed  to  Ms.  Kimberley  A.  Caprio  at  (703)  604-9139  (DSN  664-9139), 
e-mail  KCaprio@dodig.osd.mil,  or  Mr.  Dennis  L.  Conway  at  (703)  604-9158  (DSN 
664-9158),  e-mail  DConway@dodig.osd.mil.  See  Appendix  E  for  the  report  distribution. 
Audit  team  members  are  listed  inside  the  back  cover. 


Robert  J.  Lieberman 
Assistant  Inspector  General 
for Auditing

Application Controls Over the Retiree and Casualty Pay Subsystem at the Defense Finance and Accounting Service Cleveland Center


Executive  Summary 


Introduction.  This  report  is  the  first  of  two  reports  resulting  from  our  audit  of 
application  controls  for  the  Defense  Retiree  and  Annuitant  Pay  System.  This  report 
addresses  our  audit  of  the  application  controls  over  the  Defense  Finance  and  Accounting 
Service  Cleveland  Center’s  Retiree  and  Casualty  Pay  Subsystem  (the  Subsystem),  one  of 
two  subsystems  in  the  Defense  Retiree  and  Annuitant  Pay  System.  A  separate  report  will 
address  our  audit  of  application  controls  over  the  Defense  Finance  and  Accounting 
Service  Annuitant  Pay  Subsystem.  The  Defense  Finance  and  Accounting  Service  (DFAS) 
requested  that  we  issue  separate  reports  on  these  subsystems. 

The  Subsystem  accounted  for  1.8  million  retirees  and  disbursed  an  average  of  $2.4  billion 
per  month  from  the  DoD  Military  Retirement  Trust  Fund  (the  Fund)  in  FY  1998.  Because 
of the high volume and dollar value of the transactions, effective controls over the
Subsystem  are  essential  to  ensuring  authorized,  accurate,  complete,  and  reliable  retired 
pay  data  for  the  Fund. 

Objectives.  The  overall  audit  objective  was  to  evaluate  general  and  application  controls 
over  the  Defense  Retiree  and  Annuitant  Pay  System  to  ensure  the  production  of 
authorized,  accurate,  complete,  and  reliable  data.  This  report  addresses  our  review  of 
selected  application  controls  over  the  Subsystem.  (Application  controls  are  the  policies 
and  procedures  that,  when  implemented,  provide  assurance  that  transactions  are  valid, 
properly  authorized,  and  completely  and  accurately  processed.)  Also,  we  reviewed  the 
management  control  program  for  the  Retiree  and  Casualty  Pay  Subsystem. 

Results. The DFAS Cleveland Center did not fully implement or maintain controls over
the  accuracy  of  information  in  the  Retiree  and  Casualty  Pay  Subsystem.  Although  this 
audit  did  not  detect  unauthorized  or  fraudulent  activity,  implementation  of  these  controls 
will  increase  managers’  confidence  that  data  in  the  Subsystem  are  accurate  and  authorized. 
See  the  Finding  for  a  discussion  of  the  audit  results. 

The  DFAS  Cleveland  Center  had  implemented  controls  to  assure  that  data  were  complete 
and  reliable.  However,  the  additional  management  controls  recommended  in  this  report 
will  better  assure  DFAS  that  erroneous  or  rejected  data  can  be  detected  in  a  timely  manner 
to  prevent  or  correct  misstatements  in  the  financial  statements  of  the  Fund.  See  Appendix 
A  for  details  on  the  management  control  program. 


Summary of Recommendations. We recommend that the Director, DFAS Cleveland
Center,  develop  new  review  procedures  where  necessary;  enforce  existing  review 
procedures;  document  and  maintain  an  audit  trail  of  corrective  actions;  and  update 
standard  operating  procedures  to  reflect  the  current  state  of  operations  for  the  Subsystem. 

Management  Comments.  The  Director,  Defense  Finance  and  Accounting  Service  did 
not  comment  on  the  draft  report,  issued  on  November  20,  1998.  Therefore,  we  request 
that management provide comments on this final report by March 23, 1999.

Background


This  report  is  the  first  of  two  reports  resulting  from  our  ongoing  audit  of  the 
application  controls  for  the  Defense  Retiree  and  Annuitant  Pay  System.  The  audit 
was  conducted  to  support  our  audits  required  by  the  Chief  Financial  Officers  Act 
of 1990 and the Federal Financial Management Act of 1994. A separate report
will  address  our  audit  of  the  application  controls  over  the  Defense  Finance  and 
Accounting  Service  Annuitant  Pay  Subsystem.  The  Defense  Finance  and 
Accounting  Service  (DFAS)  requested  that  we  issue  separate  reports  on  these 
subsystems. 

On  August  8,  1991,  the  DoD  Corporate  Information  Management  Financial 
Management  Steering  Committee  approved  the  DFAS  proposal  to  standardize  and 
consolidate  DoD  retiree  and  annuitant  pay  systems.  The  DFAS  Cleveland 
Center’s Retired Pay System and the DFAS Denver Center’s Annuitant Pay
System were integrated as the Defense Retiree and Annuitant Pay System
(DRAS).  The  DFAS  Cleveland  Center’s  Retired  Pay  System  was  renamed  the 
Retiree  and  Casualty  Pay  Subsystem,  and  the  DFAS  Denver  Center’s  Annuitant 
Pay  System  was  renamed  the  Annuitant  Pay  Subsystem. 

Retiree  and  annuitant  pay  transactions  are  processed  on  computers  managed  by  the 
Defense  Information  Systems  Agency  (DISA).  The  DISA  Defense  Megacenter, 
Chambersburg,  Pennsylvania,  processes  transactions  for  the  DFAS  Cleveland 
Center’s  Retiree  and  Casualty  Pay  Subsystem.  The  Defense  Megacenter,  Denver, 
Colorado,  processes  transactions  for  the  DFAS  Denver  Center’s  Annuitant  Pay 
Subsystem. 

This  report  discusses  our  review  of  selected  application  controls  over  the  DFAS 
Cleveland  Center’s  Retiree  and  Casualty  Pay  Subsystem  (the  Subsystem). 
Application  controls  are  the  policies  and  procedures  that,  when  implemented, 
provide  assurance  that  transactions  are  valid,  properly  authorized,  and  completely 
and  accurately  processed.  The  Subsystem  was  used  to  account  for  1.8  million 
retirees  and  to  disburse  a  monthly  average  of  $2.4  billion  from  the  DoD  Military 
Retirement  Trust  Fund  in  FY  1998. 


Objectives 


The  overall  objective  was  to  evaluate  general  and  application  controls  over  DRAS 
to  ensure  authorized,  accurate,  complete,  and  reliable  data.  This  report  addresses 
our  review  of  selected  application  controls  over  the  Subsystem.  We  also  reviewed 
the  management  control  program  for  the  Retiree  and  Casualty  Pay  Subsystem. 

See  Appendix  A  for  a  discussion  of  the  audit  scope  and  methodology,  and 
Appendix B for a summary of prior coverage related to the audit objectives.

Accuracy of Information in the Retiree and Casualty Pay Subsystem

The DFAS Cleveland Center did not fully implement or maintain controls
over  the  accuracy  of  information  in  the  Subsystem.  Specifically,  DFAS 
Cleveland  Center  personnel  did  not  always: 

•  review  reports  that  contained  rejected  or  potentially  erroneous 
data  and  take  corrective  actions  to  increase  the  accuracy  of  the 
retired  pay  records,  and 

•  update  standard  operating  procedures  to  ensure  that  retired  pay 
employees  understand  their  duties  and  enter  only  authorized 
information  into  the  retired  pay  records. 

Controls were not fully implemented or maintained because DFAS
Cleveland  Center  managers  did  not  always  develop  or  enforce  policies  for 
reviewing  reports  that  contained  errors  and  rejected  transactions,  and  did 
not  consistently  update  operating  procedures.  Without  adequate  standard 
operating  procedures,  the  retired  pay  employees  could  not  ensure  that  data 
entered  into  the  subsystem  were  correct.  Further,  if  controls  are  not 
maintained  over  error  and  rejection  reports  and  standard  operating 
procedures,  there  is  increased  risk  that  erroneous  or  fraudulent  transactions 
may not be detected in a timely manner to prevent or correct misstatements
in  retired  pay  records  or  the  financial  statements  of  the  Military  Retirement 
Trust  Fund. 


Guidance  for  Internal  Control  Systems 

Office of Management and Budget (OMB) Circular No. A-127, "Financial
Management  Systems,"  June  23,  1993,  states  that  financial  management  systems 
shall  include  a  system  of  internal  controls  to  ensure  that  reliable  data  are  obtained, 
maintained,  and  disclosed  in  reports. 

OMB Circular No. A-127 also states that agencies shall apply appropriate internal
controls to all system inputs, processing, and outputs in accordance with OMB
Circular No. A-123, "Management Accountability and Control," June 21, 1995.
OMB  Circular  No.  A-123  requires  management  controls  to  include  assurances  that 
revenues  and  expenditures  are  properly  recorded  and  accounted  for,  and  that 
reliable  and  timely  information  is  collected  and  properly  maintained. 

To  implement  adequate  management  controls,  DoD  should  ensure  that  minimum 
controls  exist  in  an  application  system.  (An  application  system  is  typically  a  group 
of  computer  programs  that  process  information  for  a  specific  function  such  as 
retired payroll.) Application controls are the policies and procedures that, when
implemented, provide assurance that transactions are valid, properly authorized,
and  completely  and  accurately  processed.  The  four  major  categories  of  application 
controls  are: 

•  authorization  controls, 

•  completeness  controls, 

•  accuracy  controls,  and 

•  controls  over  integrity  of  processing  and  data  files. 

See  Appendix  D  for  a  definition  of  the  major  categories  of  application  controls. 


Controls  Over  Accuracy  of  Retired  Payments 


DFAS  had  implemented  controls  to  ensure  that  data  were  complete  and  reliable. 
However,  the  DFAS  Cleveland  Center  did  not  fully  implement  or  maintain  controls 
over  the  accuracy  of  retiree  information  in  the  Subsystem.  Specifically,  the  DFAS 
Cleveland  Center  needs  additional  controls  over  reviewing  reports  containing 
rejected  and  erroneous  transactions,  and  over  the  updating  of  standard  operating 
procedures  to  reflect  current  operations. 

Monitoring  and  Correcting  Errors  and  Rejections  in  Retired  Pay  Reports. 

DFAS  Cleveland  Center  personnel  were  not  fully  monitoring  and  correcting  errors 
and  rejections  shown  in  retired  pay  reports.  The  DFAS  Cleveland  Center 
produced  a  total  of  410  daily,  monthly,  quarterly,  and  annual  management  reports 
that  included  error  and  rejection  reports.  We  judgmentally  selected  eight  error  and 
rejection  reports  that  could  have  the  most  significant  impact  on  the  reliability  of  the 
financial  statements  and  the  Subsystem  if  information  was  inaccurate  or 
incomplete.  These  reports  were  critical  controls  for  reducing  the  risk  of 
unauthorized  or  fraudulent  activity  because  they  identified  discrepancies  in  the 
retiree  pay  records. 

We  concluded  that  DFAS  Cleveland  Center  personnel  did  not  adequately  review 
the  eight  error  and  rejection  reports  because: 

•  over  35  percent  of  the  transactions  on  two  of  eight  error  and  rejection 
reports  lacked  documentation  to  show  that  supervisors  performed  the 
reviews  required  by  management; 

•  retired  pay  personnel  did  not  review  three  of  eight  error  and  rejection 
reports  to  ensure  that  account  information  and  payments  were  correct; 
or 

•  documentation  was  not  retained  or  annotated  for  three  of  eight  reports 
to  establish  a  historical  record  of  changes  made  to  retiree  pay  accounts; 
therefore, an audit trail was lacking.

Management Policy for Reviewing Reports. Managers at the DFAS
Cleveland  Center  stated  that  supervisors  should  review  each  retiree  pay  account 
on  both  the  “Deleted  Masters  Report”  and  the  “Computed  Exception  Report” 
to  ensure  that  the  accounts  were  properly  deleted  or  established.  The  2  reports 
analyzed  during  this  audit  contained  713  accounts;  no  documentation  was 
available  to  verify  that  250  (35.1  percent)  of  the  accounts  were  reviewed 
according  to  management  policy. 

•  The  purpose  of  the  “Deleted  Masters  Report”  was  to  identify  retiree 
accounts  that  were  deleted  from  the  Subsystem.  Management  required 
that  supervisors  review  every  transaction  on  this  report  to  ensure  that 
the  accounts  were  deleted  for  the  appropriate  reasons.  We  were  unable 
to  verify  that  223  (34.5  percent)  of  646  retiree  accounts  were  properly 
reviewed. 

•  The  “Computed  Exception  Report”  included  retiree  pay  accounts 
adjusted  by  retired  pay  personnel  at  the  DFAS  Cleveland  Center,  using 
abnormal  procedures  that  allowed  them  to  override  existing  controls. 
According  to  the  DFAS  Cleveland  Center’s  standard  operating 
procedure,  dated  August  12,  1996,  supervisors  must  review  this  report 
within  5  working  days  after  it  is  produced.  The  “Computed  Exception 
Reports”  we  reviewed  were  not  marked  to  show  that  26  (38.8  percent) 
out  of  67  retiree  accounts  were  reviewed.  Review  of  the  accounts  on 
this  report  was  critical  because  some  DFAS  retired-pay  employees  had 
the  ability  to  create  accounts  without  supporting  documentation  or 
authorization. 

Frequency  of  Reviews  on  Reports.  We  identified  three  reports  that  had 
no  evidence  of  reviews  performed  by  the  DFAS  Cleveland  Center.  Although 
the  “Retired  Payment  File  -  Summary  -  Daily  -  Checks  Report,”  the  “Retired 
Payment  File  -  Listing  -  Daily  -  Checks  Report,”  and  the  “Defense  Joint  Military 
Pay  System  Non-Match  Report”  were  frequently  produced  at  the  DFAS 
Cleveland  Center,  management  did  not  require  reviews  on  the  pay  accounts  in 
these  reports. 

•  The  “Retired  Payment  File  -  Summary  -  Daily  -  Checks  Report”  and  the 
“Retired  Payment  File  -  Listing  -  Daily  -  Checks  Report”  contained 
payments  for  new  retirees.  These  payments  were  computed  for  a  partial 
month  when  a  new  account  had  existed  less  than  1  month.  DFAS 
Cleveland  Center  supervisors  did  not  routinely  review  the  reports 
because  they  believed  that  sufficient  controls  were  in  place  to  identify 
any  discrepancies  in  the  daily  payments.  However,  management 
acknowledged  the  usefulness  of  these  reports  for  reconciling  imbalances 
between  the  total  disbursements  made  to  retirees  and  the  amounts  of 
disbursements  recorded  in  the  retired  pay  file.  Therefore,  these  reports 
should  be  produced,  reviewed,  and  stored  in  files  to  document  the 
reconciliation  of  differences  between  actual  payments  and  the 
accounting  record  (the  retired  pay  file). 

Also,  a  standard  operating  procedure  was  needed  for  the  “Retired 
Payment File - Summary - Daily - Checks Report” and the “Retired
Payment File - Listing - Daily - Checks Report.” Development of these
standard  operating  procedures  will  provide  greater  assurance  that  pay 
technicians  have  guidance  reflecting  the  procedures  for  reviewing, 
correcting,  and  documenting  discrepancies  between  payments  and 
accounting  records. 

•  The  “Defense  Joint  Military  Pay  System  Non-Match  Report”  identified 
retirees  that  were  recorded  in  the  Subsystem,  but  were  not  recorded  in 
the  Defense  Joint  Military  Pay  System.  The  Defense  Joint  Military  Pay 
System  processes  pay  for  all  active  duty  personnel;  therefore,  matching 
the  pay  accounts  on  the  Defense  Joint  Military  Pay  System  with  the  pay 
accounts  on  the  Subsystem  ensures  that  the  retiree  was  previously  on 
active  duty  and  the  account  is  valid.  The  DFAS  Cleveland  Center’s 
management  determined  that  this  report  did  not  need  to  be  reviewed 
because  the  Military  Department  personnel  offices  must  submit 
retirement  documentation  to  the  DFAS  Cleveland  Center  before  retiree 
accounts  are  established.  However,  this  report  can  provide  a  control  for 
detecting  erroneous  or  potentially  fraudulent  pay  accounts  and  should  be 
reviewed.  All  reviews  should  be  documented  and  stored  on  file. 

Documentation  Supporting  Reviews  of  Reports.  The  DFAS  Cleveland 
Center’s  management  required  supervisors  to  review  transactions  appearing  on 
the  “Death  Notice  Processing  Report,”  the  “Notice  of  Death  Error  Control 
Log,”  and  the  “Allotment  Reconciliation  Reject  List.”  However,  we  were 
unable  to  test  compliance  with  this  requirement  because  supervisors  did  not 
retain  or  annotate  the  reports  to  indicate  that  any  reviews  were  made. 

•  The  “Death  Notice  Processing  Report”  listed  rejections,  discrepancies, 
and  warnings  that  a  notice  of  death  may  be  incorrect.  (The  “Notice  of 
Death  Error  Control  Log”  listed  the  rejections  and  discrepancies  from 
the  “Death  Notice  Processing  Report.”)  Management  required  retired 
pay  technicians  to  provide  corrections  of  death  notices  to  a  reviewer 
who  checked  the  corrections  and  annotated  the  “Notice  of  Death  Error 
Control  Log.”  We  were  unable  to  test  the  reviewers’  compliance  with 
management  policy  because  management  did  not  require  that  either  of 
the  reports  be  annotated  or  retained  on  file. 

•  The  “Allotment  Reconciliation  Reject  List”  identified  discrepancies 
between  the  Subsystem  and  the  Allotment  Master  File.  Pay  technicians 
manually  corrected  the  accounts  and  provided  the  changes  to  their 
supervisors.  Management  required  the  supervisors  to  review  all 
allotment  payments  over  $5,000.  We  were  unable  to  test  compliance 
with  this  requirement  because  management  does  not  require  supervisors 
to  annotate  the  reports.  All  reviews  should  be  annotated  in  the  reports 
to  validate  that  the  changes  were  made. 

Adequacy  of  Standard  Operating  Procedures.  Standard  operating  procedures 
were  not  always  complete  or  up-to-date  and  did  not  provide  assurance  that  data 
entered  into  the  Subsystem  were  authorized  and  correct.  As  of  June  1,  1998,  the 
DFAS  Cleveland  Center  had  a  total  of  125  standard  operating  procedures  for 
inputting  and  adjusting  retired  pay  data  in  the  Subsystem.  We  reviewed  18 
processes described in 55 standard operating procedures that could have the most
significant impact on the reliability of information in the financial statements and
the  Subsystem.  These  55  procedures  provided  guidance  on  retired  pay  processes 
such  as  the  establishment  of  new  retired  pay  accounts,  the  initiation  of  payments 
and  vouchers,  certifications  of  death,  and  the  maintenance  of  existing  accounts. 

The  DFAS  Cleveland  Center  did  not  have  standard  operating  procedures  for  three 
additional  processes  that  we  considered  significant  in  creating  a  retiree  account. 

Of  the  18  processes  reviewed,  7  (38.9  percent)  lacked  the  necessary  standard 
operating  procedures  or  did  not  include  all  the  standard  operating  procedures 
needed  to  properly  process  a  transaction.  Without  adequate  standard  operating 
procedures,  the  retired  pay  employees  could  not  ensure  that  data  entered  into  the 
subsystem  were  correct.  The  seven  processes  reviewed  were  used  to  complete  the 
following  actions: 

•  reducing  retirees’  pay  to  fulfill  child  support  or  alimony  obligations, 

•  authorizing  past-due  payments  to  beneficiaries  of  deceased  retirees, 

•  transferring  retirees  from  the  temporary  disability  retired  list  to  the 
permanent  disability  retired  list, 

• adjusting retirements after January 1, 1971, to the same pay as earlier
retirements, 

•  computing  retired  pay  based  on  the  highest  average  military  salary, 

•  processing  name  changes,  and 

•  adjusting  retirees’  pay  accounts  based  on  recall  to  active  military 
service. 

In  addition,  the  Quality  Assurance  Branch  in  the  Retired  Pay  Directorate  had  also 
determined  that  standard  operating  procedures  for  the  Subsystem  were  incomplete 
and  had  not  been  updated. 

The  DFAS  Cleveland  Center  has  made  progress  in  updating  standard  operating 
procedures  for  the  Subsystem.  From  April  through  August  1998,  the  DFAS 
Cleveland  Center  had  updated  one  process  and  was  in  the  process  of  updating 
another  process.  These  two  processes  are  part  of  the  seven  identified  in  this  report 
that  lacked  the  necessary  procedures  to  record  transactions  correctly. 

Continued  emphasis  on  updating  processes  within  the  standard  operating 
procedures  will  provide  greater  assurance  that  pay  technicians  have  guidance  that 
reflects current operations, including significant changes made to the Subsystem.


Conclusion 


DFAS  Cleveland  Center  personnel  did  not  always  review  error  and  rejection 
reports,  which  affected  their  ability  to  determine  whether  retiree  accounts  were 
accurate.  In  addition,  managers  at  the  DFAS  Cleveland  Center  did  not  always 
ensure  that  standard  operating  procedures  were  developed  for  reviewing  error  and 
rejection reports and that existing procedures were enforced. Also, DFAS
Cleveland Center personnel needed to update standard operating procedures to
ensure  that  retired  pay  employees  understood  their  duties  and  entered  only 
authorized  information. 

The  absence  of  adequate  application  controls  in  the  Subsystem  increases  the 
possibility  that  unauthorized  or  fraudulent  activity  may  occur  or  may  not  be 
detected  promptly  to  prevent  misstatements  in  the  financial  statements  of  the 
Military  Retirement  Trust  Fund.  Also,  the  absence  of  these  controls  lowers 
managers’  confidence  in  the  authorization  and  the  accuracy  of  retired  payments. 


Recommendations 

We  recommend  that  the  Director,  Defense  Finance  and  Accounting  Service, 
Cleveland  Center: 

1. Develop new review procedures and enforce existing review procedures
for  all  critical  reports  generated  by  the  Retiree  and  Casualty  Pay  Subsystem; 
document  and  maintain  an  audit  trail  of  supervisory  reviews  of  corrective  actions 
by  technicians. 

2.  Update  standard  operating  procedures  for  the  five  processes  identified  in 
our  review;  create  standard  operating  procedures  for  the  three  processes  used  in 
creating  a  retiree  account;  and  review  the  remaining  standard  operating  procedures 
and  update  them,  if  necessary,  to  reflect  current  operations  for  the  Retiree  and 
Casualty  Pay  Subsystem. 


Management  Comments  Required 


The  Director,  DFAS  did  not  comment  on  a  draft  of  this  report.  We  request  that 
DFAS provide comments on the final report.

Appendix A. Audit Process


Scope  and  Methodology 


We  reviewed  application  controls  related  to  the  Subsystem  of  the  DRAS. 
Specifically,  we: 

•  reviewed  error  and  rejection  reports, 

•  evaluated  controls  over  the  authorization  of  transactions, 

•  evaluated  controls  for  the  detection  of  input  errors, 

• reviewed written procedures for retired pay operations,

•  evaluated  controls  for  ensuring  that  information  processed  by  the  system 
was  complete  and  accurate,  and 

•  reviewed  procedures  for  verifying  the  completeness  of  account  updates. 

We  also  reviewed  policies  and  procedures  for  establishing  and  maintaining 
application  controls.  This  guidance  was  provided  in  regulations,  directives, 
circulars,  or  standards  developed  by  OMB  and  DoD. 

The  Subsystem  processed  transactions  for  1.8  million  retirees  and  disbursed  a 
monthly  average  of  $2.4  billion  from  the  DoD  Military  Retirement  Trust  Fund  in 
FY  1998. 

DoD-wide  Corporate-Level  Government  Performance  and  Results  Act  Goals. 

In  response  to  the  Government  Performance  and  Results  Act,  DoD  has  established 
6  DoD-wide  corporate-level  performance  objectives  and  14  goals  for  meeting 
these  objectives.  This  report  pertains  to  achievement  of  the  following  objective 
and  goal. 

• Objective: Fundamentally reengineer DoD and achieve a 21st century
infrastructure.  Goal:  Reduce  costs  while  maintaining  required  military 
capabilities  across  all  DoD  mission  areas.  (DoD-6) 

DoD  Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  have 
also  established  performance  improvement  reform  objectives  and  goals.  This 
report  pertains  to  the  achievement  of  the  following  functional  area  objectives  and 
goals. 

•  Financial  Management  Functional  Area.  Objective:  Strengthen 
internal  controls.  Goal:  Improve  compliance  with  the  Federal 
Managers’  Financial  Integrity  Act.  (Financial  Management-5.3) 

• Information Technology Management Functional Area. Objective:
Provide services that satisfy customer information needs. Goal:
Improve information technology management tools. (Information
Technology Management-2.4)

General  Accounting  Office  High-Risk  Area.  The  General  Accounting  Office 
has  identified  several  high-risk  areas  in  DoD.  This  report  provides  coverage  of  the 
Defense  Financial  Management  and  the  Information  Management  and  Technology 
high-risk  areas. 

Use  of  Computer-Processed  Data.  We  relied  on  computer-processed  data  from 
the  Subsystem  to  determine  the  adequacy  of  the  application  controls  used. 
Although  we  did  not  make  a  formal  reliability  assessment  of  the  computer- 
processed  data,  the  documentation  obtained  generally  agreed  with  the  computer- 
processed  data.  We  did  not  find  errors  that  would  preclude  the  use  of  the 
computer-processed  data  to  meet  the  audit  objectives  or  that  would  change  the 
conclusions  in  this  report. 

Review  Period  and  Standards.  We  performed  this  financial-related  audit  from 
December  1997  through  January  1999  in  accordance  with  auditing  standards 
issued  by  the  Comptroller  General  of  the  United  States,  as  implemented  by  the 
Inspector  General,  DoD.  Accordingly,  we  included  tests  of  management  controls 
considered  necessary. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  Further  details  are  available  on  request. 


Management  Control  Program 


DoD  Directive  5010.38,  "Management  Control  Program,"  August  26,  1996, 
requires  DoD  organizations  to  implement  a  comprehensive  system  of  management 
controls  that  provides  reasonable  assurance  that  programs  are  operating  as 
intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  Management  Control  Program.  The  scope  of  review  of  the 
management  control  program  included  reviews  of  the  adequacy  of  application 
controls  over  the  Subsystem.  We  evaluated  management  controls  over  the 
authorization,  completeness,  accuracy,  and  integrity  of  processing  and  data  files. 
Because  we  did  not  identify  a  material  weakness  other  than  the  weakness  disclosed 
in DFAS Cleveland Center’s management control review, we did not assess
management’s self-evaluation.

Adequacy  of  Management  Controls.  The  DFAS  Cleveland  Center’s  application 
controls  over  the  Subsystem  could  be  improved.  Specifically,  improvements  were 
needed  in  monitoring  error  and  rejection  reports  and  ensuring  the  adequacy  of 
standard  operating  procedures.  See  Appendix  C  for  information  on  the 
Vulnerability  Analysis  and  Assessment  Program. 

The  DFAS  Cleveland  Center  conducted  a  management  control  review  that 
identified  a  material  weakness  in  reconciling  the  Subsystem  with  the  Military 
Department personnel systems. No reconciliations have been made between the
Subsystem and the Army, Navy, or Air Force personnel systems to assist in the
timely  resolution  of  discrepancies  and  to  identify  potentially  fraudulent  or 
erroneous  pay  accounts. 

The  DFAS  Cleveland  Center  has  taken  action  to  correct  this  weakness  by 
submitting  data  on  pay  accounts  to  the  Military  Department  personnel  systems. 
The  DFAS  Cleveland  Center  will  monitor  and  validate  the  reconciliation  process. 

The  recommendations  in  this  report,  if  implemented,  will  improve  application 
controls over the Subsystem.

Appendix B. Summary of Prior Coverage


The  following  Inspector  General,  DoD,  reports  covered  issues  related  to  this  audit. 

Report  No.  97-177,  “Internal  Controls  and  Compliance  With  Laws  and 
Regulations  for  the  DoD  Military  Retirement  Trust  Fund  Financial  Statements  for 
FY  1996,”  June  25,  1997. 

Report  No.  97-052,  “Vendor  Payments  -  Operation  Mongoose,  Fort  Belvoir 
Defense  Accounting  Office  and  Rome  Operating  Location,”  December  23, 1996. 

Report  No.  96-175,  “Computer  Security  Over  the  Defense  Joint  Military  Pay 
System,”  June  25,  1996. 

Report  No.  96-124,  “Selected  General  Controls  Over  the  Defense  Business 
Management  System,”  May  21,  1996. 

Report  No.  96-053,  “Follow-up  Audit  of  Controls  Over  Operating  System  and 
Security  Software  and  Other  General  Controls  for  Computer  Systems  Supporting 
the  Defense  Finance  and  Accounting  Service,”  January  3,  1996. 

Report  No.  95-263,  “Controls  Over  Operating  System  and  Security  Software  and 
Other  General  Controls  for  Computer  Systems  Supporting  the  Defense  Finance 
and  Accounting  Service,”  June  29,  1995. 

Report  No.  94-060,  “General  Controls  for  Computer  Systems  at  the  Information 
Processing  Centers  of  the  Defense  Information  Services  Organization,”  March  18, 
1994. 
Appendix  C.  Other  Matters  of  Interest 


Vulnerability  Analysis  and  Assessment  Program 

General  Accounting  Office  Report  No.  AIMD-96-84  (OSD  Case  No.  1150), 
“Information  Security:  Computer  Attacks  at  Department  of  Defense  Pose 
Increasing  Risk,”  May  1996,  states  that  based  on  information  obtained  from  DISA, 
DoD  may  have  experienced  as  many  as  250,000  computer  attacks  in  previous 
years.  Of  that  number,  approximately  65  percent  may  have  been  successful  in 
penetrating  DoD  systems.  Further,  the  number  of  attacks  is  likely  to  increase,  as 
Internet  use  increases,  along  with  the  sophistication  of  hackers  and  their  tools. 

No  specific  DoD-wide  policy  exists  that  requires  a  vulnerability  assessment  or 
criteria  for  prioritizing  the  areas  exposed  to  the  highest  risk  of  an  attack.  In  1992, 
DISA  established  a  Vulnerability  Analysis  and  Assessment  Program  to  identify 
vulnerabilities  in  DoD  information  systems.  The  team  that  administers  the 
Vulnerability  Analysis  and  Assessment  Program  has  the  authority  to  test  any 
system  supported  by  the  DISA  network  without  first  notifying  personnel  at  the 
site.  Testing  of  systems  external  to  DISA  is  performed  on  request  only. 

During  this  audit,  we  reviewed  the  use  of  the  Vulnerability  Analysis  and 
Assessment  Program  at  the  Defense  Megacenters  that  process  transactions  for 
DRAS.  DISA  processed  transactions  for  DRAS  at  its  Defense  Megacenters  in 
Chambersburg,  Pennsylvania,  and  Denver,  Colorado.  Transactions  for  the 
Annuitant  Pay  Subsystem  were  processed  at  the  Defense  Megacenter  in  Denver, 
Colorado. 

Although  DISA  has  tested  6  of  the  16  Defense  Megacenters  for  vulnerabilities,  it 
has  not  begun  the  Vulnerability  Analysis  and  Assessment  Program  at  the  Defense 
Megacenter  in  Denver.  If  people  with  wrongful  intentions  are  able  to  exploit 
weaknesses  at  the  Defense  Megacenter  in  Denver,  the  Annuitant  Pay  Subsystem’s 
operations  could  be  disrupted,  affecting  the  payments  of  over  257,000  annuitants. 
This  could  also  materially  affect  the  financial  statements  because  the  Annuitant  Pay 
Subsystem  disbursed  a  monthly  average  of  $144  million  from  the  DoD  Military 
Retirement  Trust  Fund  in  FY  1998. 

DISA  informed  us  that  it  plans  to  complete  the  Vulnerability  Analysis  and 
Assessment  Program  for  all  Defense  Megacenters  by  May  2000.  DISA  must 
follow  through  as  expeditiously  as  possible  to  prevent  any  potential  security 
problems  and  to  protect  the  integrity  of  DRAS. 
Appendix  D.  Major  Categories  of  Application 
Controls 


We  evaluated  four  major  categories  of  application  controls.  Those  categories 
included  controls  over  the  authorization,  completeness,  accuracy,  and  integrity  of 
processing  and  data  files. 

Authorization  Controls.  These  controls  are  closely  associated  with 
management’s  declaration  on  the  financial  statements  (commonly  called 
management’s  assertions)  concerning  the  validity  of  transactions  and  the  actual 
occurrence  of  transactions  in  a  given  period. 

Completeness  Controls.  These  controls  directly  relate  to  management’s  assertion 
on  the  completeness  of  transactions,  or  whether  all  valid  transactions  are  recorded 
and  properly  classified. 

Accuracy  Controls.  The  accuracy  controls  are  most  directly  related  to 
management’s  assertion  that  transactions  are  recorded  in  the  correct  amounts. 
These  controls  are  not  limited  to  financial  information,  but  also  address  the 
accuracy  of  other  data. 

Controls  Over  Integrity  of  Processing  and  Data  Files.  Integrity  controls,  if 
deficient,  could  nullify  each  of  the  above  controls,  allow  the  occurrence  of 
unauthorized  transactions,  and  contribute  to  incomplete  and  inaccurate  data. 
Appendix  E.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
Assistant  Secretary  of  Defense  (Public  Affairs) 

Director,  Defense  Logistics  Studies  Information  Exchange 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Navy 
Superintendent,  Naval  Postgraduate  School 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 


Other  Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Finance  and  Accounting  Service 

Director,  Defense  Finance  and  Accounting  Service  Cleveland  Center 
Director,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 
Defense  Systems  Management  College 
Non-Defense  Federal  Organizations 

Office  of  Management  and  Budget 

Technical  Information  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 


Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform 

House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International  Relations, 
Committee  on  Government  Reform 
The  Finance  and  Accounting  Directorate,  Office  of  the  Assistant  Inspector  General 
for  Auditing,  DoD,  prepared  this  report. 